Welcome to my information security blog. I hope the information I publish and comments I provide can offer some insight, for better or worse, into current industry trends, technologies, and innovations.
One of the purposes for this blog is to encourage creative and constructive dialogue, so feel free to comment. If you do, please provide your name.
If you have any feedback or would like to contact me offline, don't hesitate to email me: mike[@]cloppert[.]org

2006-05-15

I try to stay away from politically-charged topics in my posts, but many times politics and information security overlap, leaving me no choice. There has been a lot of press recently involving various activities the NSA has undertaken in the past few years. Since 9/11, the US has been willing to sacrifice personal privacy in the name of security, specifically through increasingly broad monitoring techniques using modern technologies and tools. This has spawned a virtual arms race between privacy advocates and law enforcement, with more advanced monitoring leading to more advanced protection mechanisms, and vice versa.

One of the tools developed by privacy advocates, with the help of the EFF, is The Onion Router, or TOR. At a very high level, this software attaches your computer to a network of other active TOR clients and routes network traffic randomly through these nodes, obfuscating the true source of the activity. While the implementation isn't perfect, it's a good way to provide one layer of obfuscation to requests made from one's computer. Recently, TOR was identified by a three-letter government agency as a potential threat; a tool that could be used for malicious activity, possibly by terrorists. The distribution of this document is restricted, so I am unable to reference it here.

Does anyone else find it ironic that tools being developed to protect individuals' rights in response to draconian monitoring policies are being identified as terrorist threats by the governments instituting such policies? It seems as though such policies are providing ammunition to the threats they are intended to counter. The more governments infringe on the privacy of ordinary citizens, the more prevalent and sophisticated dual-use tools like TOR will become, aiding terrorists and privacy advocates alike. I fear that this erosion of privacy and misplaced trust in the tradeoffs between privacy and security will leave us with nothing to show in terms of national security. Our government needs to accurately identify the threat and focus its resources there, rather than on the wholesale collection of data.

Bruce Schneier, who was interviewed by CNN when the USAToday story broke, has a great opinion article on this topic as well. Note that it was written before the recent article that I mention above.

2006-05-14

First, on the subject of administrivia: it's been awhile since this blog has been updated. It's been a busy few months, and I've managed to draft a number of entries, so expect a barrage of updates in the next few weeks.

I've recently completed a paper discussing an effective implementation of address-space randomization. In short, randomizing the location of critical objects in memory has been proposed as a means to counter arbitrary code execution. The PaX and GRSecurity groups have implemented this in the form of a Linux kernel patch, along with a number of other protections. This has been criticized as ineffective by Shacham, et al., amongst others. My solution proposes a simple watcher process that addresses the shortcomings brought forward by this paper. The abstract is pasted below:

The true protection offered by randomization of the memory address space has been widely debated, most notably by Shacham, et al. [1]. The limited entropy afforded by memory addresses of 32-bit architectures, specifically, allows for brute-force discovery of the randomized locations of critical system objects. In this paper, it is shown that a watcher process can successfully stymie attempts to remotely discover randomized memory address offsets. In this implementation, address-space randomization becomes an effective protection measure against arbitrary code execution.
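The watcher idea in the abstract, as an added example that is not the paper's code: every wrong guess at a randomized address crashes the target, so a watcher that counts crashes per binary inside a short time window sees the brute-force attempt long before the address space is exhausted. This C program parses constructed kernel-style segfault log lines and alerts when one binary crosses a crash threshold; it also goes slightly beyond the abstract by computing the rough number of probes a brute-force search would need, so the window threshold can be compared with the cost of the attack. The log format, the window and threshold values, and the 16-bit entropy figure are all assumptions made for the illustration.

```c
/* Added example, not the paper's code: a minimal crash-rate watcher.
 * Log format, thresholds and entropy figure are assumed for the demo. */
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED      16   /* distinct binaries we keep state for  */
#define WINDOW_SECS      60   /* window (seconds) for counting crashes */
#define CRASH_THRESHOLD   5   /* crashes inside the window that alert  */

struct crash_stat {
    char binary[64];
    long window_start;  /* timestamp of first crash in current window */
    int  count;         /* crashes seen since window_start */
};

static struct crash_stat stats[MAX_TRACKED];
static int nstats;

/* Parse a constructed kernel-style line of the form
 *   "<unix_ts> <binary>[<pid>]: segfault at <addr> ip <addr> sp <addr> error <n>"
 * Returns 1 and fills ts/binary on success, 0 for any other line. */
int parse_crash_line(const char *line, long *ts, char *binary, size_t blen)
{
    char name[64];
    if (strstr(line, "segfault at") == NULL)
        return 0;
    if (sscanf(line, "%ld %63[^[][%*d]:", ts, name) != 2)
        return 0;
    strncpy(binary, name, blen - 1);
    binary[blen - 1] = '\0';
    return 1;
}

/* Find or create the state slot for a binary; NULL when the table is full. */
static struct crash_stat *lookup(const char *binary)
{
    for (int i = 0; i < nstats; i++)
        if (strcmp(stats[i].binary, binary) == 0)
            return &stats[i];
    if (nstats == MAX_TRACKED)
        return NULL;
    struct crash_stat *s = &stats[nstats++];
    strncpy(s->binary, binary, sizeof s->binary - 1);
    s->binary[sizeof s->binary - 1] = '\0';
    return s;
}

/* Record one crash; returns the crash count inside the current window. */
int record_crash(long ts, const char *binary)
{
    struct crash_stat *s = lookup(binary);
    if (s == NULL)
        return 0;
    if (s->count == 0 || ts - s->window_start > WINDOW_SECS) {
        s->window_start = ts;   /* open a fresh window */
        s->count = 0;
    }
    return ++s->count;
}

/* Feed one log line; returns 1 exactly when a binary crosses the threshold. */
int watcher_feed(const char *line)
{
    long ts;
    char binary[64];
    if (!parse_crash_line(line, &ts, binary, sizeof binary))
        return 0;
    return record_crash(ts, binary) == CRASH_THRESHOLD;
}

/* Rough average number of guesses needed to hit one randomized value with
 * `bits` of entropy: about half the space if the layout stays fixed across
 * crashes (pre-forked children), the whole space if each crash re-randomizes.
 * Used here only to size CRASH_THRESHOLD against the cost of an attack. */
double expected_probes(int bits, int rerandomized)
{
    double space = (double)(1ULL << bits);
    return rerandomized ? space : space / 2.0;
}

/* Constructed sample: a burst of crashes from one daemon, plus an unrelated
 * crash and a non-crash line. Returns the number of alerts raised. */
int run_sample(void)
{
    static const char *lines[] = {
        "1147651200 httpd[2001]: segfault at 08f3a000 ip b7e12345 sp bf8a1000 error 4",
        "1147651202 httpd[2002]: segfault at 08f3a000 ip b7e22345 sp bf8a1000 error 4",
        "1147651203 sshd[900]: Accepted publickey for ops from 10.0.0.5",
        "1147651205 httpd[2003]: segfault at 08f3a000 ip b7e32345 sp bf8a1000 error 4",
        "1147651207 httpd[2004]: segfault at 08f3a000 ip b7e42345 sp bf8a1000 error 4",
        "1147651208 updatedb[450]: segfault at 00000000 ip 0804a000 sp bfa00000 error 6",
        "1147651209 httpd[2005]: segfault at 08f3a000 ip b7e52345 sp bf8a1000 error 4",
        "1147651211 httpd[2006]: segfault at 08f3a000 ip b7e62345 sp bf8a1000 error 4",
    };
    int alerts = 0;
    memset(stats, 0, sizeof stats);   /* start from clean state */
    nstats = 0;
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        if (watcher_feed(lines[i])) {
            alerts++;
            printf("ALERT: crash burst: %s\n", lines[i]);
        }
    return alerts;
}

int main(void)
{
    printf("alerts raised: %d\n", run_sample());
    printf("probes needed, 16 bits, fixed layout: %.0f\n", expected_probes(16, 0));
    return 0;
}
```

Build with `cc -std=c99 -o watcher watcher.c`. The sample raises a single alert on the fifth `httpd` crash within the window; the sixth crash does not alert again, so a real watcher would take its response action (for instance restarting the service with fresh randomization, or blocking the peer whose requests coincide with the crashes) once per burst rather than once per crash. The `expected_probes` figures show why a threshold of five crashes in a minute is comfortably below what a search over even 16 bits of entropy would require.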

About Me

I have been employed in various information technology fields since 1997, and in information security since 2001. I have an undergrad degree in Computer Engineering from the University of Dayton, received various industry certifications (GCIA, GREM, GCFA, etc.), and am currently pursuing a MS in Computer Science from George Washington University. I have lectured on various information security topics to IEEE, internal organization-wide IT conferences, and the annual Department of Defense Cybercrime Convention. My international work experience consists of training on general information security topics and IDS design/implementation onsite in Egypt, Israel, and India, as well as providing incident response assistance in the Far East. I have been a contributing editor to incident response procedures for two major organizations, and have been involved in digital forensic investigations since 2001. Currently, my work consists of security-related research and development, covering topics from vulnerability and exploit reverse engineering to implementation of security technologies, as well as digital forensics for an enterprise Computer Incident Response Team.